Abstract. Harmful Internet hijacking incidents show how fragile the Border Gateway Protocol (BGP) is, the protocol used to exchange routing information between Autonomous Systems (ASes). As proved by recent research contributions, even S-BGP, the secure variant of BGP that is being deployed, is not fully able to blunt traffic attraction attacks. Given a traffic flow between two ASes, we study how difficult it is for a malicious AS to devise a strategy for hijacking or intercepting that flow. We show that this problem marks a sharp difference between BGP and S-BGP. Namely, while it is solvable, under reasonable assumptions, in polynomial time for the type of attacks that are usually performed in BGP, it is NP-hard for S-BGP. Our study has several by-products. E.g., we solve a problem left open in the literature, stating when performing a hijacking in S-BGP is equivalent to performing an interception.



1 Introduction and Overview 

On 24th Feb. 2008, Pakistan Telecom started an unauthorized announcement of prefix 208.65.153.0/24 [14]. This announcement was propagated to the rest of the Internet, which resulted in the hijacking of YouTube traffic on a global scale. Incidents like this show how fragile the Border Gateway Protocol (BGP) [11] is, the protocol used to exchange routing information between Internet Service Providers (ISPs). Indeed, performing a hijacking attack is a relatively simple task. It suffices to issue a BGP announcement of a victim prefix from a border router of a malicious (or unaware) Autonomous System (AS). Part of the traffic addressed to the prefix will be routed towards the malicious AS rather than to the intended destination. A mischievous variation of the hijacking is the interception, where, after passing through the malicious AS, the traffic is forwarded to the correct destination. This allows the rogue AS to eavesdrop on or even modify the transit packets.

In order to cope with this security vulnerability, a variant of BGP, called S-BGP [9], has been proposed, that requires a PKI infrastructure both to validate the correctness of the AS that originates a prefix and to allow an AS to sign its announcements to other ASes. In this setting an AS cannot forge announcements that do not derive from announcements received from its neighbors. However, [4] contains surprising results: (i) simple hijacking strategies are tremendously effective and (ii) finding a strategy that maximizes the amount of traffic that is hijacked is NP-hard both for BGP and for S-BGP.

Table 1: Complexity of finding a hijack strategy in different settings.

In this paper we tackle the hijacking and interception problems from a new perspective. Namely, given a traffic flow between two ASes, how difficult is it for a malicious AS to devise a strategy for hijacking or intercepting at least that specific flow? We show that this problem marks a sharp difference between BGP and S-BGP. Namely, while it is polynomial time solvable, under reasonable assumptions, for typical BGP attacks, it is NP-hard for S-BGP. This gives new complexity related evidence of the effectiveness of the adoption of S-BGP. Also, we solve an open problem [4], showing when every hijack in S-BGP results in an interception. Tab. 1 summarizes our results. Rows correspond to different settings for a malicious AS m. The origin-spoofing setting (Sect. 2) corresponds to a scenario where m issues BGP announcements pretending to be the owner of a prefix. Its degree of freedom is to choose a subset of its neighbors for such a bogus announcement. This is the most common type of hijacking attack to BGP [1]. In S-BGP (Sect. 3) m must enforce the constraints imposed by S-BGP, which does not allow to pretend to be the owner of a prefix that is assigned to another AS. Columns of Tab. 1 correspond to different assumptions about the Internet. In the first column we assume that the longest valley-free path (i.e. a path enforcing certain customer-provider constraints) in the Internet can be of arbitrary length. This column has a theoretical interest since the length of the longest path (and hence valley-free path) observed in the Internet remained constant even though the Internet has been growing in terms of active AS numbers during the last 15 years [8]. Moreover, in today's Internet about 95% of the ASes are reached in 3 AS hops [5]. Hence, the second column corresponds to a quite realistic Internet, where the AS-path length is bounded by a constant. In the third column we assume that the number of neighbors of m is bounded by a constant. This is typical in the periphery of the Internet. A "P" means that a polynomial-time algorithm exists. Since moving from left to right the setting is more constrained, we prove only the rightmost NP-hardness results, since they imply the NP-hardness results to their left. Analogously, we prove only the leftmost "P" results.



1.1 A Model for BGP Routing 



As in previous work on interdomain hijacking we model the Internet as a graph $G = (V, E)$. A vertex in V is an Autonomous System (AS). Edges in E are peerings (i.e., connections) between ASes. A vertex owns one or more prefixes, i.e., sets of contiguous IP numbers. The routes used to reach prefixes are spread and selected via BGP. Since each prefix is handled independently by BGP, we focus on a single prefix π, owned by a destination vertex d.

BGP allows each AS to autonomously specify which paths are forbidden (import policy), how to choose the best path among those available to reach a destination (selection policy), and a subset of neighbors to whom the best path should be announced (export policy). BGP works as follows. Vertex d initializes the routing process by sending announcements to (a subset of) its neighbors. Such announcements contain π and the path of G that should be traversed by the traffic to reach d. In the announcements sent from d such a path contains just d. We say that a path $P = (v_n \dots v_0)$ is available at vertex v if $v_n$ announces P to v. Each vertex checks, among its available paths that are not filtered by the import policy, which is the best one according to its selection policy, and then it announces that path to a set of its neighbors in accordance with the export policy. Further, BGP has a loop detection mechanism, i.e., each vertex v ignores a route if v is already contained in the route itself.

Policies are typically specified according to two types of relationships [7]. In a customer-provider relationship, an AS that wants to access the Internet pays an AS which sells this service. In a peer-peer relationship two ASes exchange traffic without any money transfer between them. Such commercial relationships between ASes are represented by orienting a subset of the edges of E. Namely, edge $(u, v) \in E$ is directed from u to v if u is a customer of v, while it is undirected if u and v are peers. A path is valley-free if provider-customer and peer-peer edges are only followed by provider-customer edges.

The Gao-Rexford [3] Export-all (GR-EA) conditions are commonly assumed to hold in this setting [4]. GR1: G has no directed cycles that would correspond to unclear customer-provider roles. GR2: Each vertex $v \in V$ sends an announcement containing a path P to a neighbor n only if path (n v)P is valley-free. Otherwise, some AS would provide transit to either its peers or its providers without revenues. GR3: A vertex prefers paths through customers over those provided by peers and paths through peers over those provided by providers. Shortest Paths: Among paths received from neighbors of the same class (customers, peers, and providers), a vertex chooses the shortest ones. Tie Break: If there are multiple such paths, a vertex chooses according to some tie break rule. As in [3], we assume that the one whose next hop has the lowest AS number is chosen. Also, as in [5], to tie break equal class and equal length simple paths $P_1 = (u\,v)P'_1$ and $P_2 = (u\,v)P'_2$ at the same vertex u from the same neighbor v, if v prefers $P'_1$ over $P'_2$, then u prefers $P_1$ over $P_2$. This choice is called policy consistent in [5] and it can be proven that it has the nice property of making the entire set of policies considered in this paper policy consistent. NE policy: a vertex always exports a path except when GR2 forbids it to do so.



Since we assume that the GR-EA conditions are satisfied, a (partially directed) graph is sufficient to fully specify the policies of the ASes. Hence, in the following a BGP instance is just a graph.

1.2 Understanding Hacking Strategies 

We consider the following problem. A BGP instance with three specific vertices, d, s, and m, is given, where such vertices are: the AS originating a prefix π, a source of traffic for π, and an attacker, respectively. All vertices, but m, behave correctly, i.e., according to the BGP protocol and GR-EA conditions. Vertex m is interested in two types of attacks: hijacking and interception. In the hijacking attack m's goal is to attract to itself at least the traffic from s to d. In the interception attack m's goal is to be traversed by at least the traffic from s to d.

In Fig. 1 (2,6) is peer-to-peer and the other edges are customer-provider. Prefix π is owned and announced by d. According to BGP, the traffic from s to d follows (s 6 2 1 d). In fact, 2 selects (1 d). Vertex 6 receives a unique announcement from d (it cannot receive an announcement with (5 4 3 m 2 1 d) since it is not valley-free). By cheating (Example 1), m can deviate the traffic from s to d, attracting traffic from s. In fact, if m pretends to be the owner of π and announces it to 2, then 2 prefers, for shortest-path, (2 m) over (2 1 d). Hence, the traffic from s to d is received by m following (s 6 2 m). A hijack!

Observe that m could be smarter (Example 2). Violating GR2, it can announce (2 1 d) to 3. Since each of 3, 4 and 5 prefers paths announced by customers (GR3), the propagation of this path is guaranteed. Therefore, 6 has two available paths, namely, (2 1 d) and (5 4 3 m 2 1 d). The second one is preferred because 5 is a customer of 6, while 2 is a peer of 6. Hence, the traffic from s to d is received by m following path (s 6 5 4 3 m). Since after passing through m the traffic reaches d following (m 2 1 d), this is an interception.

Fig. 2 allows us to show a negative example (Example 3). According to BGP, the traffic from s to d follows (s 4 d). In fact, s receives only paths (4 d) and (1 2 3 d), both from a provider, and prefers the shortest one. Suppose that m wants to hijack and starts just announcing π to 6. Since all the neighbors of s are providers, s prefers, for shortest path, (4 d) over (5 6 m) (over (1 2 3 d) over (4 9 8 7 m)) and the hijack fails. But m can use another strategy. Since (s 5 6 m) is shorter than (s 1 2 3 d), m can attract traffic if (4 d) is "disrupted" and becomes not available at s. This happens if 4 selects, instead of (d), a path received from its peer neighbor 9 (m may announce that it is the originator of π also to 7). However, observe that if 4 selects path (4 9 8 7 m) then 5 selects path (5 9 8 7 m), since it is received from a peer, and stops the propagation of (s 5 6 m). Hence, s still selects path (s 1 2 3 d) and the hijack fails.

In order to cope with the lack of any security mechanism in BGP, several 
variations of the protocol have been proposed by the Internet community. One of 
the most famous, S-BGP, uses both origin authentication and cryptographically- 
signed announcements in order to guarantee that an AS announces a path only 
if it has received this path in the past. 



Fig. 1: A network for Examples 1 and 2.

Fig. 2: A network for Example 3.

Fig. 3: Reduction of the 3-SAT problem to the HIJACK problem when m has origin-spoofing capabilities. Dotted lines represent directed paths of length 2n + 2.

The attacker m has more or less constrained cheating capabilities. 1. With the origin-spoofing cheating capabilities m can do the typical BGP announcement manipulation. I.e., m can pretend to be the origin of prefix π owned by d, announcing this to a subset of its neighbors. 2. With the S-BGP cheating capabilities m must comply with the S-BGP constraints. I.e.: (a) m cannot pretend to be the origin of prefix π; and (b) m can announce a path (m u)P only if u announced P to m in the past. However, m can still announce paths that are not the best to reach d and can decide to announce different paths to different neighbors. In Example 2, m has S-BGP cheating capabilities.

In this paper we study the computational complexity of the HIJACK and of the INTERCEPTION problems. The HIJACK problem is formally defined as follows. Instance: A BGP instance G, a source vertex s, a destination vertex d, a manipulator vertex m, and a cheating capability for m. Question: Does there exist a set of announcements that m can simultaneously send to its neighbors, according to its cheating capability, that produces a stable state for G where the traffic from s to d goes to m? The INTERCEPTION problem is defined in the same way but changing "the traffic from s to d goes to m" to "the traffic from s to d passes through m before reaching d".

1.3 Notation and Definitions 



We introduce some technical notation in order to prove our lemmas and theorems. A ranking function determines the level of preference of paths available at vertex v. If $P_1, P_2$ are available at v and $P_1$ is preferred over $P_2$ we write $P_1 <_v P_2$.

The concatenation of two nonempty paths $P = (v_k\ v_{k-1} \dots v_i)$, $k \ge i$, and $Q = (v_i\ v_{i-1} \dots v_0)$, $i \ge 0$, denoted as PQ, is the path $(v_k\ v_{k-1} \dots v_{i+1}\ v_i\ v_{i-1} \dots v_0)$. Also, let P be a valley-free path from vertex v. We say that P is of class 3, 2, or 1 if its first edge connects v with a customer, a peer, or a provider of v, respectively. We also define a function $f^v$ for each vertex v, that maps each path from v to the integer of its class. Given two paths P and P' available at v, if $f^v(P) > f^v(P')$ we say that the class of P is better than the class of P'. In a stable routing state S, a path $P = (v_1 \dots v_n)$ is disrupted at vertex $v_i$ by a path P' if there exists a vertex $v_i$ of P such that $v_i$ selects path P'. Also, if P' is preferred over $(v_i \dots v_n)$ because of the GR3 condition, we say that path P is disrupted by a path of a better class. Otherwise, if P' is preferred over $(v_i \dots v_n)$ because of the shortest-paths criterion, we say that P is disrupted by a path of the same class.

1.4 Routing Stability under Manipulator Attacks 

BGP policies can be so complex that there exist configurations that do not allow to reach any stable routing state (see, e.g., [B]). A routing state is stable if there exists a time t such that after t no AS changes its selected path. If the GR-EA conditions are satisfied then a BGP network always converges to a stable state. However, there is a subtle issue to consider in attacks. As we have seen in the examples, m can deliberately ignore the GR-EA conditions. Anyway, the following lemma makes it possible, in our setting, to study the HIJACK and the INTERCEPTION problems ignoring stability related issues. First, we introduce some notation.

Lemma 1. Let G be a BGP instance and suppose that at a certain time a manipulator m starts announcing steadily any set of arbitrary paths to its neighbors. Routing in G converges to a stable state.

Proof. Suppose, for a contradiction, that, after m starts its announcements, routing in G is not stable. Let $u_0, \dots, u_n$ be a circular sequence of vertices such that: (1) each $u_i$ does not steadily announce a path; (2) the most preferred path $P^{u_i} = R_i Q_i = (u_i \dots r_i) Q_i$ at $u_i$ that is available infinitely many times is such that each vertex in $Q_i$ but $r_i$ steadily announces a path; and (3) $r_i = u_{i+1}$, where i has to be interpreted modulo n. Such a circular sequence is called dispute-wheel and it has been proved in [5] that if a system (with no manipulators) is not stable then it contains a dispute-wheel. We prove that the presence of a dispute-wheel in a GR-EA instance leads to a contradiction. Hence, a GR-EA instance always converges to a stable state. Observe that $|R_i| \ge 2$, otherwise $u_i$ would be stable. Since m and d steadily announce some paths and because G is finite, such a sequence exists. Observe that for each i, we have that $Q_{i-1} \ne P^{u_i}$.

Suppose that for each $u_i$ we have that $P^{u_i}$ is preferred over $Q_{i-1}$ either by shortest path or by tie-break, i.e., $f^{u_i}(Q_{i-1}) = f^{u_i}(P^{u_i})$ and $|Q_{i-1}| \ge |P^{u_i}|$. Inequality $|R_i| \ge 2$ implies $|P^{u_i}| > |Q_i|$. Hence, we have $|Q_{i-1}| \ge |P^{u_i}| > |Q_i| \ge |P^{u_{i+1}}|$. Following the cycle of inequalities we have a contradiction as we obtain $|Q_0| > |Q_0|$.

Conversely, let $u_m$ be a vertex that prefers $P^{u_m}$ over $Q_{m-1}$ for better class, that is $f^{u_m}(P^{u_m}) > f^{u_m}(Q_{m-1})$. For each $i = 0, \dots, m-1, m+1, \dots, n$ we have $f^{u_i}(P^{u_i}) \ge f^{u_i}(Q_{i-1}) \ge \dots$ because of the GR2 and GR3 conditions. Following the cycle of inequalities we have a contradiction as we obtain $f^{u_m}(P^{u_m}) > f^{u_m}(P^{u_m})$. □

The existence of a stable state (pure Nash equilibrium) in a game where one player can deviate from a standard behavior has been proved, in a different setting, in [2]. Such a result and Lemma 1 are somehow complementary, since the export policies considered in [2] are more general than Export-All, while the convergence to the stable state is not guaranteed (even if such a stable state is always reachable from any initial state).



2 Checking if an Origin-Spoofing BGP Attack Exists 

In this section, we show that, in general, it is hard to find an attack strategy if m has an origin-spoofing cheating capability (Theorem 1), while the problem turns out to be easier in a realistic setting (Theorem 2).

A hijacking can obviously be found in exponential time by a simple brute force approach which simulates every possible attack strategy and verifies its effectiveness. The following result, in the case the Internet graph has no bound constraints, may be somehow expected.

Theorem 1. If the manipulator has origin-spoofing cheating capabilities, then problem HIJACK is NP-hard.

Proof. We prove that HIJACK is NP-hard by a reduction from the 3-SAT problem. Let F be a logical formula in conjunctive normal form with variables $X_1 \dots X_n$ and clauses $C_1 \dots C_h$ where each clause $C_i$ contains three literals. We construct a GR-EA compliant BGP instance G as follows.

Graph G consists of 4 structures: the Intermediate structure, the Short structure, the Long structure, and the Disruptive structure. See Fig. 3.

The Intermediate structure is the only portion of G containing valley-free paths joining s and m that are shorter than the one contained in the Long structure. It is composed by edge $(m, q_1)$ and two directed paths from s to $q_1$ of length 2n: the first path is composed by edges $(s, t_n)$, $(t_n, q_n)$, $(q_n, t_{n-1})$, $(t_{n-1}, q_{n-1})$, $(q_{n-1}, t_{n-2})$, $\dots$, $(t_2, q_2)$, $(q_2, t_1)$, and $(t_1, q_1)$, while the second path is composed by edges $(s, \bar t_n)$, $(\bar t_n, q_n)$, $(q_n, \bar t_{n-1})$, $(\bar t_{n-1}, q_{n-1})$, $(q_{n-1}, \bar t_{n-2})$, $\dots$, $(\bar t_2, q_2)$, $(q_2, \bar t_1)$, and $(\bar t_1, q_1)$. Obviously, these two paths can be used to construct an exponential number of other paths. We say that a path traverses the Intermediate structure if it passes through vertices s and $q_1$.

The Short structure consists of h paths joining s and d. Each path has length 4 and has edges $(s, c_{i,1})$, $(c_{i,1}, c_{i,2})$, $(c_{i,2}, c_{i,3})$, and $(c_{i,3}, d)$ ($1 \le i \le h$). The Long structure is a directed path of length 2n + 3 with edges $(s, w_1)$, $(w_1, w_2)$, $\dots$, $(w_{2n+1}, w_{2n+2})$, and $(w_{2n+2}, d)$. The Disruptive structure is composed by 2n paths plus 3h edges. The 2n paths are defined as follows. For $1 \le i \le n$ we define two paths. The first path contains a directed subpath of length 2n + 2 from m to $x_i$ (dotted lines in Fig. 3) plus the undirected edge $(x_i, t_i)$. The second path contains a directed subpath of length 2n + 2 from m to $\bar x_i$ (dotted lines in Fig. 3) plus the undirected edge $(\bar x_i, \bar t_i)$. The 3h edges are added to G as follows. For each clause $C_i$ and each literal $L_{i,j}$ of $C_i$, which is associated to a variable $X_k$, if $L_{i,j}$ is positive, then we add $(x_k, c_{i,j})$, otherwise we add $(\bar x_k, c_{i,j})$. We say that a path traverses the Disruptive structure if it traverses it from m to s.

Vertices s, d, and m have source, destination, and manipulator roles, respec- 
tively. 

Intuitively, the proof works as follows. The paths that allow traffic to go 
from s to m are only those passing through the Disruptive structure and the 
Intermediate structure. Also, the paths through the Intermediate structure 
are shorter than the one through the Long structure, which is shorter than 
those through the Disruptive structure. 

If m does not behave maliciously, s receives only paths that traverse the 
Short structure and the Long structure. In this case s selects one of the paths 
in the Short structure according to its tie break policy. 

Observe that if m wants to attract traffic from s, then: (i) a path from m 
traversing entirely the Intermediate structure has to reach s and (ii) all paths 
contained in the Short structure have to be disrupted by a path announced 
by m. 

Observe that only valley-free paths contained in the Intermediate structure, which have length at least 2n + 2, can be used to attract traffic from s. If (i) does not hold, then s selects the path contained in the Long structure or a path contained in the Short structure. If (ii) does not hold, then s selects a path contained in the Short structure.

Our construction is such that the 3-SAT formula is satisfiable iff m can attract the traffic from s to d. To understand the interplay between our construction and the 3-SAT problem, consider (see Fig. 3) the behavior of m with respect to neighbors $x_2$ and $\bar x_2$. If m wants to disrupt path $(s\ c_{1,1}\ c_{1,2}\ c_{1,3}\ d)$ (which corresponds to making clause $C_1$ true) it might announce the prefix to $x_2$. This would have the effect of disrupting $(s\ c_{1,1}\ c_{1,2}\ c_{1,3}\ d)$ by better class. Observe that at the same time this would disrupt all the paths through $t_2$. If m is able to disrupt all the paths in the Short structure, then s has to select a path in the Intermediate structure. However, m has to be careful for two reasons. First, m has to announce the prefix to $q_1$ (otherwise no path can traverse the Intermediate structure). Second, m cannot announce the prefix both to $x_2$ and to $\bar x_2$ (variable $X_2$ cannot be true and false at the same time). In this case, all the paths through $t_2$ and $\bar t_2$ are disrupted. Also, consider that the paths that reach s through $t_2$ and $x_2$ ($\bar t_2$ and $\bar x_2$) and that remain available are longer than the one in the Long structure.

Now we show that if F is satisfiable, then m can attract traffic from s. Let M be a truth assignment to variables $X_1, \dots, X_n$ satisfying formula F. Let m announce to its neighbors paths as follows: if $X_i$ ($i = 1, \dots, n$) is true then m announces the prefix to $x_i$ and does not announce anything to $\bar x_i$; otherwise m does the opposite. Also, the prefix is announced to $q_1$ in all cases.

We have that: 1. all paths (one for each clause) in the Short structure are disrupted by better class from the paths in the Disruptive structure; 2. one path belonging to the Intermediate structure is available at s; 3. the path in the Long structure, available at s, is longer than the path in the Intermediate structure. Hence, m can attract traffic from s.

Now we prove that if manipulator m can attract traffic from s, then F is satisfiable.

We already know from the above discussion that m can attract traffic from s only using paths that traverse the Intermediate structure entirely. We also know that these paths are longer than paths contained in the Short structure and therefore every path contained in the Short structure has to be disrupted. We have that paths contained in the Short structure can be disrupted only by using paths contained in the Disruptive structure. Let $V^*$ be the set of neighbors of m different from $q_1$ that receive an announcement of the prefix from m. Observe that m, to attract traffic from s, has to announce the prefix to $q_1$. From the above discussion we have that for $i = 1, \dots, n$ it is not possible both for $x_i$ and for $\bar x_i$ to receive the announcement. Also, since all paths in the Short structure have been disrupted, for $j = 1, \dots, h$ at least one of the $c_{j,k}$ ($k = 1, 2, 3$) receives an announcement of the prefix from m. Hence, we define an assignment M, which satisfies formula F, as follows: for each $i = 1, \dots, n$, if $x_i \in V^*$ then $M(X_i) = \top$, otherwise $M(X_i) = \bot$. □

Surprisingly, in a more realistic scenario, where the length of valley-free paths is bounded by a constant k, we have that in the origin-spoofing setting an attack strategy can be found in polynomial time ($n^{O(k)}$, where n is the number of vertices of G). Let N be the set of neighbors of m. Indeed, the difficulty of the HIJACK problem in the origin-spoofing setting depends on the fact that m has to decide to which of the vertices in N it announces the attacked prefix π, which leads to an exponential number of possibilities. However, when the longest valley-free path in the graph is bounded by a constant k, it is possible to design a polynomial-time algorithm based on the following intuition, that will be formalized below. Suppose m is announcing π to a subset $A \subseteq N$ of its neighbors and path $p = (z \dots n\ m)$ is available at an arbitrary vertex z of the graph. Let $n_1, n_2$ be two vertices of $N \setminus A$. If p is disrupted (is not disrupted) by better class both when π is announced to $n_1$ and when π is announced to $n_2$, then p is disrupted (is not disrupted) by better class when π is announced to both $n_1$ and $n_2$. This implies that once m has a candidate path $p^*$ for attracting traffic from s, it can check independently to which of its neighbors it can announce π without disrupting $p^*$ by better class, which guarantees that a path from m to z longer than p cannot be selected at z.

In order to prove Theorem 2 we introduce the following lemmata that relate attacks to the structure of the Internet.



Lemma 2. Consider a valley-free path $p = (v_n \dots v_1)$ and consider an attack of m such that $v_1$ announces a path $p_1$ to $v_2$ to reach prefix π and p is possibly disrupted only by same class. Vertex $v_n$ selects a path $p_n <_{v_n} p\,p_1$.

Proof. We prove inductively that each vertex $v_i$ in p selects a path $p_i <_{v_i} (v_i \dots v_1)$ such that $|p_i| \le |(v_i \dots v_1)|$. In the base case ($n = 1$), the statement holds since $p_1 <_{v_1} p_1$ and $|p_1| \le |p_1|$. In the inductive step ($n > 1$), by induction hypothesis and NE policy, vertex $v_i$ receives a path $p_{i-1}$ from vertex $v_{i-1}$ such that $p_{i-1} <_{v_{i-1}} (v_{i-1} \dots v_1)$ and $|p_{i-1}| \le |(v_{i-1} \dots v_1)|$. Two cases are possible: $p_{i-1}$ contains $v_i$, or not. In the second case, $v_i$ selects a path $p_i <_{v_i} (v_i\ v_{i-1})p_{i-1}$ and, since path $(v_i \dots v_1)$ is disrupted only by same class, we have also $|p_i| \le |(v_i\ v_{i-1})p_{i-1}| \le |(v_i \dots v_1)|$. In the first case, let $p'$ be the subpath of $p_{i-1}$ from $v_i$. Observe that since $(v_i\ v_{i-1})p_{i-1}$ is a valley-free path and vertex $v_i$ is repeated in that path, we have that $f^{v_i}(p') > f^{v_i}((v_i\ v_{i-1})p_{i-1}) = f^{v_i}(v_i \dots v_1)$, which is not possible since $(v_i \dots v_1)$ cannot be disrupted by better class. □

Lemma 3. Consider a successful attack for m and let $p_{sm}$ be the path selected at s. Let $p_{sd}$ be a valley-free path from s to d such that it does not traverse m and such that $p_{sd} <_s p_{sm}$. Path $p_{sd}$ is disrupted by a path of better class.

Proof. Suppose by contradiction that there exists a valley-free path $p_{sd}$ from s to d such that $p_{sd} <_s p_{sm}$ and $p_{sd}$ is not disrupted by a path of better class. If $p_{sd}$ is not disrupted, then it is available at vertex s. It implies that s selects $p_{sd}$ as its best path, which leads to a contradiction. Otherwise, suppose $p_{sd}$ is disrupted only by same class. By Lemma 2 we have a contradiction since s selects a path $P <_s p_{sd} <_s p_{sm}$ different from $p_{sm}$. □

Lemma 4. Let $p = (v_n \dots v_1)$ be a valley-free path. Consider an attack where $v_1$ announces a path $p_1$ to $v_2$. Vertex $v_n$ selects a path of class at least $f^{v_n}(p)$.

Proof. We prove that each vertex $v_i$ in p selects a path $p_i$ such that $f^{v_i}(p_i) \ge f^{v_i}(v_i \dots v_1)$. In the base case ($n = 1$), the statement holds since $f^{v_1}(p_1) \ge f^{v_1}(p_1)$. In the inductive step ($n > 1$), by induction hypothesis and NE policy, vertex $v_i$ receives a path $p_{i-1}$ from vertex $v_{i-1}$ such that $f^{v_{i-1}}(p_{i-1}) \ge f^{v_{i-1}}(v_{i-1} \dots v_1)$. Two cases are possible: $p_{i-1}$ contains $v_i$ or not. In the second case, $v_i$ selects a path $p_i <_{v_i} (v_i\ v_{i-1})p_{i-1}$, which implies that $f^{v_i}(p_i) \ge f^{v_i}(v_i \dots v_1)$. In the first case, let $p'$ be the subpath of $p_{i-1}$ from $v_i$. Observe that since $(v_i\ v_{i-1})p_{i-1}$ is a valley-free path and vertex $v_i$ is repeated in that path, we have that $f^{v_i}(p') > f^{v_i}((v_i\ v_{i-1})p_{i-1}) = f^{v_i}(v_i \dots v_1)$, and the statement holds also in this case. □

Theorem 2. If the manipulator has origin-spoofing cheating capabilities and the length of the longest valley-free path is bounded by a constant, then problem HIJACK is in P.

Proof. We tackle the problem with Alg. 1. First, observe that line 9 tests if a certain set of announcements causes a successful attack and, in that case, it



Algorithm 1 Algorithm for the HIJACK problem where m has origin-spoofing capabilities and the longest valley-free path in the graph is bounded.

1: Input: instance of the HIJACK problem, m has origin-spoofing cheating capabilities;
2: Output: an attack pattern if the attack exists, fail otherwise;
3: let $P_{sm}$ be the set of all valley-free paths from s to m;
4: for all $p_{sm}$ in $P_{sm}$ do
5:   let w be the vertex of $p_{sm}$ adjacent to m; let A be a set of vertices and initialize A to {w}; let N be the set of the neighbors of m;
6:   for all n in $N \setminus \{w\}$ do
7:     if there is no path p through (m, n) to a vertex x of $p_{sm}$ such that $f^x(p) > f^x(p_{xm})$, where $p_{xm}$ is the subpath of $p_{sm}$ from x to m then
8:       insert n into A
9:   if the attack succeeds when m announces π only to the vertices in A then
10:    return A
11: return fail



returns the corresponding set of neighbors to whom m announces prefix tt. Hence, 
if Alg.[T] returns without failure it is trivial to see that it found a successful attack. 
Suppose now that there exists a successful attack a* from m that is not found 
by Alg. [1] Let p*„j be the path selected by s in attack a* . Let A* be the set of 
neighbors of m that receives prefix tt from m in the successful attack. 

Consider the iteration of the Alg. [1] where path p*„ is analyzed in the outer 
loop. At the end of the iteration Alg. [T] constructs a set A of neighbors of m. Let 
a be an attack from m where m announces n only to the vertices in A. 

First, we prove that A* C A. Suppose by contradiction that there exists a 
vertex n G A* that is not contained in A. It implies that there exists a valley-free 
path p through {m,n) to a vertex x of p*„j such that /^(p) > f^{pxrn), where 
Pxm is the subpath oip*^ from x to m. Since m announces tt to n, by Lemma SI 
we have that x selects a path p' of class at least f^{p), that is a contradiction 
since p*„ would be disrupted by better class. Hence, A* C A. 

Now, we prove that attack a is a successful attack for m. Consider a valley- 
free path psd from s to d that does not traverse m and is preferred over p*„ . By 
Lemma[2]it is disrupted by better class in attack a*. By LemmajH since A* C A, 
we have that also in a path psd is disrupted by better class. Let x be the vertex 
adjacent to s in p^d- Observe that, vertex s cannot have an available path (s x)p 
to d such that (s x)p <\ because (s x)p must be disrupted by better class. 

Moreover, consider path $p^*_{sm}$. Since in $a^*$ path $p^*_{sm}$ is not disrupted by better
class by a path to d, by Lemma 3 there does not exist a path $p'_{xd}$ from a vertex
x of $p^*_{sm}$ to d of class higher than $p_{xm}$, where $p_{xm}$ is the subpath of $p^*_{sm}$ from x
to m. Hence, path $p^*_{sm}$ cannot be disrupted by better class by a path to d. Also,
observe that for each $n \in A$ there is no path p through (m, n) to a vertex x of
$p^*_{sm}$ such that $f^x(p) > f^x(p_{xm})$, where $p_{xm}$ is the subpath of $p^*_{sm}$ from x to m.
Hence, $p^*_{sm}$ can be disrupted only by same class. By Lemma 5 we have that s
selects a path p that is at least as preferred as $p^*_{sm}$. Since path p cannot be a path to d, attack
a is successful. This is a contradiction since we assumed that Alg. 1 failed.



Finally, since the length of the valley-free paths is bounded, the iterations of
the algorithm in which the valley-free paths from s to m are considered require a number of steps that
is polynomial in the number of vertices of the graph. Also, the disruption checks
can be performed in polynomial time by using the algorithm in [12]. □

3 S-BGP Gives Hackers Hard Times 

We open this section by strengthening the role of S-BGP as a security protocol.
Indeed, S-BGP adds more complexity to the problem of finding an attack strategy
(Theorem 3). After that we also provide an answer to a conjecture posed
in [1] about hijacking and interception attacks in S-BGP when a single path
is announced by the manipulator. In this case, we prove that every successful
hijacking attack is also an interception attack (Theorem 5).

Theorem 3. If the manipulator has S-BGP cheating capabilities and the length
of the longest valley-free path is bounded by a constant, then problem HIJACK is
NP-hard.

Proof. We reduce from a version of 3-SAT where each variable appears at most
three times and each positive literal at most once [10]. Let F be a logical formula
in conjunctive normal form with variables $X_1, \dots, X_n$ and clauses $C_1, \dots, C_h$. We
build a BGP instance G (see Fig. 4) consisting of 4 structures: Intermediate,
Short, Long, and Disruptive. The Long structure is a directed path of length
6 with edges $(s, w_1), (w_1, w_2), \dots, (w_4, w_5)$, and $(w_5, d)$. The Intermediate
structure consists of a valley-free path joining m and s. It has length 4 and is
composed of a directed path $(s\ j_3\ j_2\ j_1)$ and a directed edge $(m, j_1)$. The Short
structure has h directed paths from s to d. Each path has length at most 4 and
has edges $(s, c_{i,1}), (c_{i,1}, c_{i,2}), \dots, (c_{i,v(C_i)}, d)$ ($1 \le i \le h$), where $v(C_i)$ is the size
of $C_i$. The Disruptive structure contains, for each variable $X_i$, vertices $r_i$, $t_i$,
$x_i$, $p_i$ and $p'_i$. Vertices $r_i$, $t_i$, and $x_i$ are reached via long directed paths from m
and are connected by $(t_i, p_i)$, $(x_i, p_i)$, $(x_i, p'_i)$, $(r_i, j_3)$, $(p_i, j_3)$, and $(p_i, d)$. Finally,
suppose $X_i$ occurs in clause $C_j$ with a literal in position l. If the literal is negative
the undirected edge $(p_i, c_{j,l})$ is added; otherwise, edges $(p_i, c_{j,l})$, $(r_i, c_{j,l})$, $(c_{j,l}, j_3)$,
and the undirected edge $(p'_i, c_{j,l})$ are added. An edge connects m to d. Vertices s, d,
and m have source, destination, and manipulator roles, respectively.

Intuitively, the proof works as follows. The paths that allow traffic to go
from s to m are only those passing through the Disruptive structure and the
one in the Intermediate structure. Also, the path through the Intermediate
structure is shorter than the one through the Long structure, which is shorter
than those through the Disruptive structure. If m does not behave maliciously,
s receives only paths traversing the Short structure and the Long structure.
In this case s selects one of the paths in the Short structure according to its tie-break
policy. If m wants to attract traffic from s, then: (i) path $(j_3\ j_2\ j_1\ m\ d)$
must be available at s and (ii) all paths contained in the Short structure must
be disrupted by a path announced by m. If (i) does not hold, then s selects the
path contained in either the Long structure or the Short structure. If (ii) does
not hold, then s selects a path contained in the Short structure.

Our construction is such that the 3-SAT formula is true iff m can attract
the traffic from s to d. To understand the relationship with the 3-SAT problem,
consider the behavior of m with respect to variable $X_1$ (see Fig. 4) that appears
with a positive literal in the first position of clause $C_1$, a negative literal in the
first position of $C_2$ and a negative literal in the second position of $C_h$.

First, we explore the possible actions that m can perform in order to disrupt
paths in the Short structure. Since m has S-BGP cheating capabilities, m is
constrained to propagate only the announcements it receives. If m does not
behave maliciously, m receives path (d) from d and paths $P_{r_1}$, $P_{t_1}$, and $P_{x_1}$
from $r_1$, $t_1$, and $x_1$, respectively. These paths have the following properties: $P_{r_1}$
contains vertex $c_{1,1}$, which is contained in the path of the Short structure that
corresponds to clause $C_1$; paths $P_{t_1}$ and $P_{x_1}$ both contain vertex $p_1$ and do not
contain vertex $c_{1,1}$ since $p_1$ prefers $(p_1\ d)$ over $(p_1\ c_{1,1}\ c_{1,2}\ c_{1,3}\ d)$.

Now, we analyze what actions are not useful for m to perform an attack. If m
issues any announcement towards $t_1$ or $r_1$ the path traversing the Intermediate
structure is disrupted by better class. Also, if m sends a path $P_{r_1}$, $P_{t_1}$, or $P_{x_1}$
towards $r_j$, $t_j$, or $x_j$, with $j = 2, \dots, n$, the path traversing the Intermediate
structure is disrupted by better class. Also, if m sends $(m\ d)$ to $x_1$, then the
path traversing the Intermediate structure is disrupted from $c_{1,1}$ by better
class. If m sends $P_{x_1}$ to $x_1$, then it is discarded by $x_1$ because of loop detection.
In each of these cases m cannot disrupt any path traversing the Short structure
without disrupting the path traversing the Intermediate structure. Hence, m
can disrupt paths in the Short structure without disrupting the path traversing
the Intermediate structure only by announcing $P_{r_1}$ or $P_{t_1}$ from m towards $x_1$.

If path $P_{t_1}$ is announced to $x_1$, then $p_1$ discards that announcement because
of loop detection and path $(s\ c_{1,1}\ c_{1,2}\ c_{1,3}\ d)$ is disrupted from $p'_1$ by better class.
Also, the path through the Intermediate structure remains available because
the announcement through $p'_1$ cannot reach $j_3$ from $c_{1,1}$, otherwise valley-freeness
would be violated. Hence, announcing path $P_{t_1}$ corresponds to assigning the value
true to variable $X_1$, since the only path in the Short structure that is disrupted
is the one that corresponds to the clause that contains the positive literal of $X_1$.

If path $P_{r_1}$ is announced to $x_1$, then $c_{1,1}$ discards that announcement because
of loop detection and both paths $(s\ c_{2,1}\ c_{2,2}\ c_{2,3}\ d)$ and $(s\ c_{h,1}\ c_{h,2}\ c_{h,3}\ d)$ are
disrupted by better class from $p_1$. Also, the path through the Intermediate
structure remains available because the announcement through $p_1$ cannot reach
$j_3$ from $c_{2,1}$ or $c_{h,2}$, otherwise valley-freeness would be violated. Hence, announcing
path $P_{r_1}$ corresponds to assigning the value false to variable $X_1$, since the only
paths in the Short structure that are disrupted are the ones that correspond
to the clauses that contain a negative literal of $X_1$.

Hence, announcing path $P_{t_1}$ ($P_{r_1}$) from m to $x_1$ corresponds to assigning
the value true (false) to variable $X_1$. As a consequence, m can disrupt every
path in the Short structure without disrupting the path in the Intermediate
structure iff formula F is satisfiable. □



Theorem 4. If the manipulator has S-BGP cheating capabilities and its degree
is bounded by a constant, then problem HIJACK is in P.

Proof. Observe that if the manipulator m has S-BGP cheating capabilities and the
degree of the manipulator's vertex is bounded by a constant k, then problem
HIJACK is in P. In fact, since m has at most k available paths plus the empty
path, and it must pick one of them for each of its k neighbors, a brute-force approach
needs to explore at most $(k + 1)^k$ cases, a constant number of them. □

To study the relationship between hijacking and interception we introduce 
the following technical lemma. 

Lemma 5. Let G be a GR-EA compliant BGP instance, let m be a vertex with
S-BGP cheating capabilities, and let $d \neq m$ be any vertex of G. All vertices that
admit a class c valley-free path to d not containing m have an available path of
class c or better to d, irrespective of the paths propagated by m to its neighbors.

Proof. Let $p = (v_n \dots v_1)$, with $v_1 = d$, be a valley-free path to d not containing m. We
prove by induction on vertices $v_1, \dots, v_n$ that each vertex $v_i$ has an available
path of class $f^{v_i}(v_i \dots v_1)$ or better. In the base case $i = 2$, $v_2$ is directly
connected to d and the statement trivially holds. Suppose that vertex $v_i$, with
$i > 2$, has an available path of class $f^{v_i}(v_i \dots v_1)$ or better. Hence, $v_i$ selects a path $p^*$
such that $f^{v_i}(p^*) \ge f^{v_i}(v_i \dots v_1)$. Also, since $(v_{i+1}\ v_i \dots v_1)$ is valley-free,
$(v_{i+1}\ v_i)p^*$ is valley-free as well. Then, $v_i$ announces (because of the NE policy) its best
path $p^*$ to $v_{i+1}$. There are two possible cases: either $p^*$ does not contain $v_{i+1}$
or it does. In the first case, path $(v_{i+1}\ v_i)p^*$ is available at $v_{i+1}$ and the statement
holds. In the second case, consider the subpath $p^*_{v_{i+1}}$ of $p^*$ from $v_{i+1}$ to d. The
statement easily follows because $f^{v_{i+1}}(p^*_{v_{i+1}}) \ge f^{v_{i+1}}((v_{i+1}\ v_i)p^*)$. □

Theorem 5. Let m be a manipulator with S-BGP cheating capabilities. If m
announces the same path to any arbitrary set of its neighbors, then every successful
hijacking attack is also a successful interception attack. If m announces different
paths to different vertices, then the hijacking may not be an interception.

Proof. We prove the following more technical statement that implies the first
part of the theorem. Let G be a BGP instance, let m be a vertex with S-BGP
cheating capabilities. Let p be a path available at m in the stable state S reached
when m behaves correctly. Suppose that m starts announcing p to any subset of
its neighbors. Let S' be the corresponding routing state. Path p remains available
at vertex m in S'. The truth of the statement implies that m can forward the
traffic to d by exploiting p.

Suppose for a contradiction that path p is disrupted in S' when m propagates
it to a subset of its neighbors. Let x be the first vertex of p that prefers a different
path $p_x$ (p is disrupted by $p_x$) in S' and let p' be the subpath of p from vertex d
to x (see Fig. 5). Observe that p is not a subpath of $p_x$ as x cannot select a path
that passes through itself. Since $p_x$ is not available at x in S, let y be the vertex
in $p_x$ closest to d that selects a path $p_y$ that is preferred over $p'_x$ in S, where $p'_x$
is the subpath of $p_x$ from y to d.
Fig. 4: Reduction of a constrained 3-SAT problem to the HIJACK problem when m has S-BGP cheating capabilities.

Fig. 5: Proof of Theorem 5 (a). The order of paths into the boxes represents the preference of the vertices.

Fig. 6: An instance where m cannot intercept traffic to d but it can hijack it.



We have two cases: either $f^x(p_x) > f^x(p')$ or $f^x(p_x) = f^x(p')$ (i.e., $p_x$ is
preferred to p' by better or by same class).

Suppose that $f^x(p_x) > f^x(p')$. By Lemma 5, since there exists a valley-free
path $p_x$ from x to d that does not traverse m, x has an available path of
class at least $f^x(p_x)$. Hence, x cannot select path p' in S, a contradiction.

Suppose that $f^x(p_x) = f^x(p')$. Two cases are possible: either $p_y$ contains x
or not. In the first case either $f^y(p_y) > f^y(p'_x)$ or $f^y(p_y) = f^y(p'_x)$. If $f^y(p_y) >
f^y(p'_x)$, then we have that $f^y(p_y) \le f^x(p') = f^x(p_x) \le f^y(p'_x)$, a contradiction.
If $f^y(p_y) = f^y(p'_x)$, we have that $|p'_x| < |p_x| \le |p'| < |p_y|$. A contradiction since
a longer path is preferred.

The second case ($f^x(p_x) = f^x(p')$ and $p_y$ does not contain x) is more complex.
We have that $|p'| \ge |p_x|$. Also, by Lemma 5, since $p_y$ and $p'_x$ do not pass through
m, y has an available path of class at least $\max\{f^y(p_y), f^y(p'_x)\}$. As y
alternatively chooses $p_y$ and $p'_x$ we have that $f^y(p_y) = f^y(p'_x)$, which implies
that $|p'_x| \ge |p_y|$. Denote by $p_{xy}$ the subpath $(v_m \dots v_0)$ of $p_x$, where $v_0 = y$
and $v_m = x$. Consider routing in state S. Two cases are possible: either $p_{xy}p_y$
is available at x or not. In the first case, since $|p'| \ge |p_x| = |p_{xy}p'_x| \ge |p_{xy}p_y|$,
we have a contradiction because p' would not be selected in S. In the second
case, we will prove that for each vertex $v_h \neq x$ in $p_{xy}$ we have that $|p_h| \le
|(v_h \dots v_0)p_y|$, where $p_h$ is the path selected by $v_h$ in S. This implies that
$|(v_m\ v_{m-1})p_{m-1}| \le |p_{xy}p_y| \le |p_x| \le |p'|$ and this leads to a contradiction. In
fact, if $|(v_m\ v_{m-1})p_{m-1}| < |p'|$, then we have a contradiction because p' would not
be selected in S. Otherwise, if $|(v_m\ v_{m-1})p_{m-1}| = |p'|$, we have that $|p_x| = |p'|$.
Then, x prefers $p_x$ over p' because of tie break. We have a contradiction since
also $(v_m\ v_{m-1})p_{m-1}$ is preferred over p' because of tie break in S.

Finally, we prove that for each vertex $v_h \neq x$ in $p_{xy}$ we have that $|p_h| \le
|(v_h \dots v_0)p_y|$. This trivially holds for $v_0 = y$. We prove that if it holds for $v_i$
then it also holds for $v_{i+1}$. If $v_{i+1}$ selects $(v_{i+1}\ v_i)p_i$, then the property holds.
Otherwise, $(v_{i+1}\ v_i)p_i$ is disrupted either by better class or by same class by a
path $p_{i+1}$. In the first case, either $p_{i+1}$ traverses m or not. Suppose
$p_{i+1}$ traverses m and let q' be the neighbor of $v_{i+1}$ on $p_{i+1}$. Since $p_{i+1}$ disrupts
$(v_{i+1}\ v_i)p_i$ by better class, $p_{i+1}$ is composed of a directed path from d to q'
and an edge $(q', v_{i+1})$ that can be either an oriented edge from q' to $v_{i+1}$ or an
unoriented edge. Let n be the neighbor of m on p and n' be the neighbor of n on
p different from m. Consider the relationship between n and n'. Suppose n is a
customer or a peer of n'. If m is a provider or a peer of n, then p is not valley-free
and p cannot be available at m in S, which leads to a contradiction. Otherwise, if
m is a customer of n, then n would have preferred the best path from its customer
m rather than the path learnt from its provider n'. It implies that p would not be
available at m in S, which is a contradiction. Hence, n is a provider of n' and the
subpath of p from d to n is a directed path. Since $f^x(p_x) = f^x(p')$, we have that
also $p_x$ is a directed path from d to x. Therefore, $v_{i+1}$ is a provider of $v_i$ and so
$(v_{i+1}\ v_i)p_i$ would not be disrupted by better class in S, which is a contradiction.
Hence, $p_{i+1}$ does not traverse m. By Lemma 5 a path of a class better than
$(v_{i+1} \dots v_0)p'_x$ is available at $v_{i+1}$ and so $v_{i+1}$ cannot select $(v_{i+1} \dots v_0)p'_x$ in
S', a contradiction. In the second case ($(v_{i+1}\ v_i)p_i$ is disrupted by same class by
a path $p_{i+1}$) we have that $|p_{i+1}| \le |(v_{i+1}\ v_i)p_i| \le |(v_{i+1} \dots v_0)p_y|$. The second
inequality comes from the induction hypothesis.

This concludes the first part of the proof. For proving the second part we
show an example where m announces different paths to different neighbors and
the resulting hijacking is not an interception. Consider the BGP instance in
Fig. 6. In order to hijack traffic from s, vertices 1 and 4 must be hijacked. Hence,
m must announce $(m\ 3\ 4\ d)$ to 2 and $(m\ 2\ 1\ d)$ to 3. However, since $(3\ 4\ d)$ and
$(2\ 1\ d)$ are no longer available at m, the interception fails. □
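The brute-force search of Theorem 4 and the hijack-without-interception behaviour of Theorem 5 can be checked mechanically on a small instance. The following Python program is an added example and is not part of the paper: it implements a toy Gao-Rexford model (customer/peer/provider edges, NE export policy, preference by class, then path length, then a deterministic tie break) with a manipulator restricted to S-BGP cheating capabilities, enumerates all $(k+1)^k$ announcement strategies of a degree-k manipulator, and reports which of them hijack s and whether m keeps an available path to d. The topology built by `fig6_like_instance()` is constructed here from the description of Fig. 6 above (s reaches d via 1 or via 4; m is a customer of 2 and 3, which are customers of 1 and 4); it is an assumption, since the figure itself is not reproduced on this page. The orientation of the relationships, the tie-break rule and the `intercept` test (m still has an available path to d) are modelling choices of this example, not definitions taken from the paper.

```python
"""Toy Gao-Rexford (GR) BGP model: customer/peer/provider relationships,
valley-free export (NE policy) and path selection by class, then length,
then a deterministic tie break.  The manipulator m has S-BGP cheating
capabilities: it may announce only paths it actually received (or nothing),
but to any neighbor it likes.  Theorem 4 is demonstrated by enumerating all
(k+1)^k announcement strategies of a manipulator of degree k."""
from itertools import product

CUSTOMER, PEER, PROVIDER = 3, 2, 1      # class f^v(p) of p at v: higher is better


class Instance:
    def __init__(self, c2p, p2p, d):
        # c2p: (customer, provider) edges; p2p: (peer, peer) edges; d: destination
        self.rel = {}
        for c, p in c2p:
            self.rel[(c, p)] = PROVIDER     # seen from c, p is a provider
            self.rel[(p, c)] = CUSTOMER     # seen from p, c is a customer
        for a, b in p2p:
            self.rel[(a, b)] = self.rel[(b, a)] = PEER
        self.nodes = sorted({v for e in self.rel for v in e})
        self.d = d

    def neighbors(self, v):
        return sorted(u for (x, u) in self.rel if x == v)

    def cls(self, path):
        # class of a path at its first vertex = relationship to the next hop
        return self.rel[(path[0], path[1])]

    def rank(self, path):
        # GR preference: higher class, then shorter path, then tie break on next hop
        return (self.cls(path), -len(path), path[1])

    def exportable(self, path, to):
        # NE policy: customer routes go to everyone, other routes only to customers
        if len(path) == 1:                  # d announces itself to all neighbors
            return True
        return self.cls(path) == CUSTOMER or self.rel[(path[0], to)] == CUSTOMER


def stable(inst, manipulator=None, announce=None, rounds=100):
    """Synchronous best response until a fixed point.  If `manipulator` is set,
    its neighbors receive exactly announce[n] (a path starting at m) or None,
    regardless of m's own best path and of the export policy."""
    announce = announce or {}
    best, avail = {inst.d: (inst.d,)}, {}
    for _ in range(rounds):
        new_best, new_avail = {inst.d: (inst.d,)}, {}
        for v in inst.nodes:
            if v == inst.d:
                continue
            cands = []
            for u in inst.neighbors(v):
                if u == manipulator:
                    p = announce.get(v)
                else:
                    p = best.get(u)
                    if p is not None and not inst.exportable(p, v):
                        p = None
                if p is not None and v not in p:    # loop detection
                    cands.append((v,) + p)
            new_avail[v] = cands
            if cands:
                new_best[v] = max(cands, key=inst.rank)
        if new_best == best and new_avail == avail:
            return best, avail
        best, avail = new_best, new_avail
    raise RuntimeError("routing did not converge")


def bruteforce_hijack(inst, m, s):
    """Theorem 4: assign {empty} U {paths available at m} to each of m's k
    neighbors, (k+1)^k cases in total.  Returns every successful hijack of s
    together with whether it is also an interception."""
    _, honest_avail = stable(inst)
    options = [None] + honest_avail[m]          # the k received paths plus empty
    nbrs = inst.neighbors(m)
    hits = []
    for choice in product(options, repeat=len(nbrs)):
        announce = dict(zip(nbrs, choice))
        best, avail = stable(inst, manipulator=m, announce=announce)
        hijack = m in best.get(s, ())
        intercept = hijack and bool(avail[m])   # m still has a path to d
        if hijack:
            hits.append((announce, intercept))
    return hits


def fig6_like_instance():
    # Constructed instance modelled on the description of Fig. 6 (assumption,
    # not the paper's figure): s reaches d via 1 or via 4; m is a customer of
    # 2 and 3, which are customers of 1 and 4 respectively.
    return Instance(
        c2p=[("s", "1"), ("s", "4"), ("2", "1"), ("3", "4"),
             ("m", "2"), ("m", "3"), ("1", "d"), ("4", "d")],
        p2p=[],
        d="d",
    )


if __name__ == "__main__":
    for announce, intercept in bruteforce_hijack(fig6_like_instance(), "m", "s"):
        print("hijack:", announce, "interception:", intercept)
```

On this instance the search visits the 3^2 = 9 strategies and finds exactly one hijack: (m 3 4 d) announced to 2 and (m 2 1 d) announced to 3. After that announcement both neighbors of m route through m, so m receives no loop-free path to d and the hijack is not an interception, as in the second part of Theorem 5. Every strategy that announces one and the same path to both neighbors is discarded by one of them through loop detection and leaves s on a path that avoids m.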



4 Conclusions and Open Problems 

Given a communication flow between two ASes we studied how difficult it is for
a malicious AS m to devise a strategy for hijacking or intercepting that flow.
This problem marks a sharp difference between BGP and S-BGP. Namely, while
in a realistic scenario the problem is computationally tractable for typical BGP
attacks, it is NP-hard for S-BGP. This gives new evidence of the effectiveness
of the adoption of S-BGP. It is easy to see that all the NP-hardness results
that we obtained for the hijacking problem easily extend to the interception
problem. Further, we solved a problem left open in [1], showing when performing
a hijacking in S-BGP is equivalent to performing an interception.

Several problems remain open: 1. We focused on a single manipulator m. How difficult
is it to find a strategy involving several malicious ASes [3]? 2. In [13] it has been
proposed to disregard the AS-path length in the BGP decision process. How
difficult is it to find an attack strategy in this different model?